podman tries to lookup hostname which is used for ssh connection.

[catap]

Issue Description

I have a machine which fake name podman.island.local which is defined inside ~/.ssh/config. This machine runs podman and I may connect to it:

√ ~ % ssh [email protected] ls /run/podman/podman.sock         
/run/podman/podman.sock
√ ~ %

When I add this machine to connection as:

√ ~ % podman system connection list | grep island                          
island                       ssh://[email protected]:22/run/podman/podman.sock                                              false
√ ~ %

and tries to use it... it fails:

√ ~ % podman --log-level=trace -c island run hello-world
INFO[0000] podman filtering at log level trace          
DEBU[0000] Called run.PersistentPreRunE(podman --log-level=trace -c island run hello-world) 
DEBU[0000] Found SSH_AUTH_SOCK "/Users/catap/.gnupg/S.gpg-agent.ssh", ssh-agent signer enabled 
DEBU[0000] SSH Agent Key SHA256:YvWliM40Quk1glrOfaP9quPdddugNbOZuTGdukR8pfM ssh-rsa 
Cannot connect to Podman. Please verify your connection to the Linux system using `podman system connection list`, or try `podman machine init` and `podman machine start` to manage a new Linux VM
Error: unable to connect to Podman socket: failed to connect: dial tcp: lookup podman.island.local: no such host
DEBU[0005] Shutting down engines                        
? ~ %

Steps to reproduce the issue

Steps to reproduce the issue

1. Add connection with impossible DNS name at ~/ssh/config
2. Add that machine to connections
3. Try to run something.

Describe the results you received

It fails.

Describe the results you expected

Should work.

podman info output

It's irrelevant for this case.

I'm using `podman version 4.7.1` on macOS.

Podman in a container

No

Privileged Or Rootless

None

Upstream Latest Release

No

Additional environment details

Additional environment details

Additional information

Additional information like issue happens only occasionally or issue happens with a particular architecture or on a particular setting

[afbjorklund]

Podman doesn't support ssh config at all, it defines "system connections" instead (for e.g. the key)

[catap]

@afbjorklund when I don't understand how can I define connection via hop. Usually it calls bastion.

[afbjorklund]

It would need a new feature, where the command would read and apply the normal ssh configuration.

https://github.com/containers/common/tree/main/pkg/ssh

You can probably use /etc/hosts as a workaround, or configure the podman connection using the IP?

[catap]

It won't work.

Idea of bastion is a single point to access to some protected environment. Usually I have access to it via -J option or ProxyJump setting in ~/.ssh/config.

This is widley used technic to improve security and have one place where user should be disabled on off-boarding.

[catap]

I see you're using https://pkg.go.dev/golang.org/x/crypto/ssh at the bottom of this.

It defiantly supports that I'm looking for but someone need to rework a bin NewConnectionWithIdentity.

Right now it expects ssh://<user>@<host>[:port]/run/podman/podman.sock?secure=True let keep it as fallback syntax and introduce the new one: ssh://<user>@<host>[:port]/unix:///run/podman/podman.sock?secure=True where instead unix:// someone may use tcp:// or even ssh:// to make a jump via server.

What do you think?

[afbjorklund]

@catap adding support for ProxyJump is a bigger feature, than just adding basic user, hostname and port (and key).

I was using this library for a quick test: http://github.com/kevinburke/ssh_config but that would not change the ssh.

commit b86031b6c848e88ea8077fd804416a27908cb151 (rebased)

# This SSH config file can be passed to 'ssh -F'.
Host podman-machine-default
  User core
  Hostname 127.0.0.1
  Port 46529
  IdentityFile "/home/anders/.ssh/podman-machine-default"
  IdentitiesOnly yes
  StrictHostKeyChecking no

[catap]

I disagree with you because I believe that it can be implemented with rework only one function NewConnectionWithIdentity into recursion one.

Idea of changes is quite simple. Instead of:

		connection = Connection{URI: _url}
		connection.Client = &http.Client{
			Transport: &http.Transport{
				DialContext: func(ctx context.Context, _, _ string) (net.Conn, error) {
					return ssh.DialNet(conn, "unix", _url)
				},
			}}

someone should:

• concat path and query part of _url into new string a re-parse it, and if resulted URI hasn't got scheme to add unix://
• call NewConnectionWithIdentity with new url string :)

The next changes to make it works is adding sshCon *Con to argument of NewConnectionWithIdentity to route between ssh.Dial (the first hop) and ssh.NewClient (all another hops).

and that's it.

[github-actions]

A friendly reminder that this issue had no activity for 30 days.

[catap]

Just ping as well...

[rhatdan]

@catap Best way to get this fixed would be to open a PR.

[catap]

On Sat, 03 Feb 2024 14:16:02 +0100, Daniel J Walsh wrote: @catap Best way to get this fixed would be to open a PR.

Indeed, but I have no idea when I have time to do it myself.

…

-- wbr, Kirill